CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-36090 – org.xwiki.platform:xwiki-platform-oldcore Improper Authorization check for inactive users
https://notcve.org/view.php?id=CVE-2022-36090
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. On the same way some resources handler created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki for instance configured with the email activation required for new users. • https://github.com/xwiki/xwiki-platform/commit/e074d226d9b2b96a0a1ba4349d1b73a802842986 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jgc8-gvcx-9vfx https://jira.xwiki.org/browse/XWIKI-19559 • CWE-285: Improper Authorization •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-29161 – Crypto script service uses hashing algorithm SHA1 with RSA for certificate signature in xwiki-platform
https://notcve.org/view.php?id=CVE-2022-29161
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The XWiki Crypto API will generate X509 certificates signed by default using SHA1 with RSA, which is not considered safe anymore for use in certificate signatures, due to the risk of collisions with SHA1. The problem has been patched in XWiki version 13.10.6, 14.3.1 and 14.4-rc-1. Since then, the Crypto API will generate X509 certificates signed by default using SHA256 with RSA. Administrators are advised to upgrade their XWiki installation to one of the patched versions. • https://github.com/xwiki/xwiki-platform/commit/26728f3f23658288683667a5182a916c7ecefc52 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h8v5-p258-pqf4 https://jira.xwiki.org/browse/XWIKI-19676 • CWE-326: Inadequate Encryption Strength CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2022-24897 – Arbitrary filesystem write access from Velocity
https://notcve.org/view.php?id=CVE-2022-24897
APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File. The problem has been patched in versions 12.6.7, 12.10.3, and 13.0. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights. • https://github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8 https://github.com/xwiki/xwiki-commons/pull/127 https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc https://jira.xwiki.org/browse/XWIKI-5168 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2022-24820 – Unauthenticated user can list hidden document from multiple velocity templates
https://notcve.org/view.php?id=CVE-2022-24820
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem. La plataforma XWiki es una plataforma wiki genérica que ofrece servicios de tiempo de ejecución para aplicaciones construidas sobre ella. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qpp2-2mcp-2wm5 https://jira.xwiki.org/browse/XWIKI-16544 • CWE-306: Missing Authentication for Critical Function CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2022-24819 – Unauthenticated user can retrieve the list of users through uorgsuggest.vm
https://notcve.org/view.php?id=CVE-2022-24819
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents related to users of the wiki. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem. La plataforma XWiki es una plataforma wiki genérica que ofrece servicios de ejecución para las aplicaciones construidas sobre ella. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-97jg-43c9-q6pf https://jira.xwiki.org/browse/XWIKI-18850 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •